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STS-51 PAD ABORT FINAL REPORT 
- INTRODUCTION - 


The STS-51 initial launch attempt of Discovery (OV-103) was terminated on KSC launch 
pad 39B August 12, 1993 at 9:12 AM E.S.T. due to a sensor redundancy failure in the 
liquid hydrogen system of ME-2 (Engine 2033). The event description and timeline are 
summarized in Table 1. 

Propellant loading was initiated on 12 August, 1993 at 12:00 AM EST. All SSME chill 
parameters and Launch Commit Criteria (LCC) were nominal. At engine start plus 1.34 
seconds a Failure Identification (FID) was posted against Engine 2033 for exceeding the 
1800 gpm intra-channel (A1-A2) Fuel Flowrate sensor channel qualification limit. The 
engine was shut down at 1.50 seconds followed by Engines 2032 and 2030. All shut 
down sequences were nominal and the mission was safely aborted. Figure 1 depicts the 
Fuel Flowrate sensor channel disqualification and Figure 2 depicts the abort 
profile/overlay for all three engines. 

SSME Avionics hardware and software performed nominally during the incident. A review 
of vehicle data table (VDT) data and controller software logic revealed no failure 
indications other than the single FID 111-101, Fuel Flowrate Intra-Channel Test Channel 
A disqualification, Figure 3. Software logic was executed according to requirements and 
there was no anomalous controller software operation, Table 2. 

Immediately following the abort, a Rocketdyne/NASA failure investigation team was 
assembled, (Table 3). The team successfully isolated the failure cause to an open circuit 
in a Fuel Flowrate Sensor. This type of failure has occurred eight previous times in 
ground testing. The sensor had performed acceptably on three previous flights of the 
engine and SSME flight history shows 684 combined fuel flowrate sensor channel flights 
without failure. 

The disqualification of an Engine 2 (SSME No. 2033) Fuel Flowrate sensor channel was 
a result of an instrumentation failure and not engine performance. All other engine 
operations were nominal. This disqualification resulted in an engine shutdown and safe 
sequential shutdown of all three engines prior to ignition of the solid boosters. 
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TIME FROM ENGINE START 




DISCOVERY STS-51 ABORT 

SSME TIMELINE 
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DISCOVERY STS-51 ABORT 

ENGINE STATUS WORD 
ME-2 (2033) 
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Team Recommendations 
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STS-51 ON-PAD ABORT 
TEAM FINDINGS & RECOMMENDATIONS 


Tables 1 and 2 summarize key recommendation in response to the investigation findings 
as related to the sensor. Hotfire testing should be expedited on the current redesigned 
(new potting material) sensor in parallel to initiating production fabrication for incorporation 
into the fleet. Close attention to production implementation coupled with successful 
hotfire test results could support fleet implementation next spring. 

Table 3 summarizes key recommendations in response to the investigation findings as 
related to the software. Table 4 addresses generic issues brought to light during the 
investigation. 
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STS-51 ABORT 

TEAM RECOMMENDATIONS - SENSOR 
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TABLE 1 


STS-51 ABORT 

TEAM RECOMMENDATIONS - SENSOR REDESIGN 
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STS-51 ABORT . 

TEAM RECOMMENDATIONS - SOFTWARE 
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TABLE 3 


STS-51 ABORT 

TEAM RECOMMENDATIONS - GENERIC 
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FAILURE TREE ANALYSIS/FAILURE SCENARIO 


FAULT TREE 

T 

The fault tree for the STS-51 fuel flow sensor intra-channel check limit violation is 
shown in Figure 1 . The tree is divided into the major branches which distinguish two 
possible failure modes, 1) a flowmeter mechanical failure preventing required stimulus 
of the flow sensor and no sensor output, Figure 2, or 2) an electrical failure preventing 
proper sensor output to the controller or proper output processing by the controller and 
attendant software, Figure 3. 

A third major branch considered was a failure producing fuel flow levels (meter thru 
flow) below the sensible range of the flow sensor. This was immediately eliminated as 
a credible failure in-as-much-as all engine and hydrogen pump performance 
parameters were normal and three of the four flow sensory coil outputs were normal, 
indicating normal meter thru flow rates. 

The tree identifies all components that could have contributed to failure in these major 
branches and then specific failure modes in each component. Components were 
eliminated or confirmed as failure candidates by post abort testing, data review, 
hardware removal with special test and disassembly and system data analysis. 

Shaded boxes in Figure 1 depict failure modes and failure components not 
contributing to the flow sensor limit violation. The unshaded boxes in Figure 1 depict 
the most probable failure path(s) leading to the sensor output violation. The fuel flow 
sensor coil A lead wire was identified as the failed component via special tests at the 
supplier and subsequent sensor disassembly observed by the Rocketdyne and NASA 
failure team personnel (see sections 4.0). The component failure is the probable 
result of a generic design deficiency in the application thermal environment but may 
have been influenced by workmanship factors resulting from a five year break in 
production fabrication of this component. 

The following discussion delineates the specific facts and factors leading to the 
elimination of the shaded boxes in Figure 1 . 


Mechanical Failure 


Mechanical failure would cause erroneous output due to slowing or stoppage of the 
flow meter rotating parts. This could be caused by contamination, bearing failure, or 
rotor blade failure. 


RSS-8912 

3-2 


RSS8912 

12-7-83 


18 


Flow Rotor Failed To Turn or Blade Failure 

The flow meter mechanical system was found to be operating correctly as indicated by 
three of the four flow sensing coils, Figure 4. 


Electrical Failure 

Electrical failure divides into three possibilities: Controller, Sensor, or Harness, Figure 
3. 

No problems were observed during the trouble-shooting with any of the electrical 
components post abort (PR2033-0142). The controller was used to perform numerous 
sensor checkouts. These were done while moving the harness and connector. As 
part of the trouble-shooting the connector at the sensor was removed and the 
controller correctly identified the sensor was not installed. A different sensor was 
installed and again the checkouts were normal, and no failure was indicated using a 
good sensor. 


Controller 

The controller branch includes software and hardware. Software is the executable 
program which was loaded into the computer memory. All other controller related 
functions are considered to be hardware. 

The controller and software were found to be operating correctly post abort with no 
problems identified during any of the checkouts. 


Software 

The software used in controller U/N F42 (ME-2) was the same as that used for ME-1 
& 3 controllers for this flight. The software was verified at the Huntsville Software Lab 
prior to delivery to Kennedy Space Center and is functionally identical to that used in 
the other controllers. The data review post abort verified the response to the input 
data was correct and there were no self checking parity errors indicating memory 
upsets. 


Controller Hardware 

This branch includes electronics and wiring. Electronics are the electronic 
components not including the wiring. Wiring is considered to be the wires connecting 
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the electronic components within the controller. 

The controller was used to do the initial trouble-shooting of the sensor and harness by 
running sensor checkouts after the abort and operated normally (IPR2033-0142). 
Although this gave some confidence that the controller was good, the controller was 
removed and sent to Honeywell for further testing. 


Controller Electronics & Wiring 

The following tests were conducted at Honeywell to further eliminate controller U/N 
F42 as a potential cause for the sensor output failure: 

• Baseline Functional Testing 

Continuity check of sensor input circuit 
Pulse Rate counter check-out 

• Environmental testing while performing functional tests 

Cold start thermal cycle and two high voltage thermal cycles 

Vibration testing in each of three axis: 10 minutes @ 3.5 Gs, 3 
minutes @ 7 Gs, 10 additional minutes @ 3.5 Gs (Total of 69 minutes 
of vibration testing) 

• Acceptance Functional Testing 

During all of the testing the controller performed to specification. All testing was 
performed while monitoring the fuel flow circuits for overvoltage which could damage a 
flow coil - no anomalies were detected. 

The results for these tests are documented in Honeywell Customer Engineering Letter 
Number 3-SSEC-2332 (see appendix). 


Controller Induced (Failure Of The Sensor) 

A circuit analysis was conducted to determine if the controller could produce a failure 
in the sensor. The minimum current required to fuse the sensor coil wire is 500 
mAMPS. The worst case direct short to the coil would be a maximum of 80 mAMPS 
at minimum temperature. This is a short between the Logic Supply Voltage through 
the Pulse Rate Converter o * the 1E3 card to the sensor coil. 

The sensor checkout circuit was reviewed and since the sensor A2 coil is isolated 
electrically from the checkout voltage it was eliminated as a possible cause, Figure 5. 
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H arnes s 


The connector is considered to be the mechanical source which connects to the 
adjoining components and the connection wire. 


Connectors 


The connectors were visually inspected and no evidence of mechanical damage was 
noted (Figure 6). Once demated no evidence was noted of bent or broken pins. 

During sensor checkout post abort the connectors were wiggle checked with no 
problems (IPR2033-0142). 

The connectors were disconnected and the standard post installation checkouts 
(continuity and insulation resistance) were performed with no problems. This testing is 
documented in KSC TPS 2033-050. 


Harnes s W ire 

The wire harness was visually inspected and no evidence of mechanical damage was 
noted. The harness was wiggle checked during sensor checkout post abort with no 
problems (IPR2033-0142). 

The harness was disconnected and the standard post installation checkouts (continuity 
and insulation resistance) were performed with no problems. This testing is 
documented in KSC TPS 2033-050. 


Sensor 

Failure modes were divided into magnet and wire. 


Sensor Magnet 

The magnet was eliminated since the A1 coil which is coincident with the failed coil 
was providing a normal signal. This is documented in the FUEL FLOW A1 & A2 
FLT051A1 data plot. Furthermore, subsequent sensor diagnostic and disassembly 
revealed no magnet anomalies. 
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Sensor Wire 


During testing at Rosemount the wire in the A2 side of the sensor was verified to 
make contact at ambient conditions but would be open when chilled. This is 
consistent with the failure (Figure 7). The final analysis identified that potting 
compound cracks were the reason for the failure which can be considered a design 
deficiency. Workmanship problems were also identified which could have contributed 
to the early failure. This will be documented in Rocketdyne UCR/FAR A032605 and 
Rosemount disassemble report D9330225. 


Summary 


All possible causes for the fuel flow sensor output disqualification failure have been 
identified and addressed in the fault tree. The systematic failure investigation results 
have concluded that an open circuit broken A-2 coil wire resulting in no A-2 coil output 
at operating conditions was the direct cause of the identified failure. 

Based on the evidence completed in the investigation and application of the fault tree 
logic the most probable failure scenario is summarized in Figure 8. 
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FUEL FLOW MEASUREMENT 

LAYOUT AND PRINCIPAL OF OPERATION 
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FUEL FLOW SENSOR CHECKOUT 






STS-51 PAD ABORT 

ME-2 (ENGINE 2033) FUEL FLOW SENSOR 
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FUEL FLOW SENSOR CHECKOUT 

DETERMINE SENSOR INTEGRITY 
BOTH SENSOR CIRCUITS ON EACH CHANNEL 
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TEMPERATURE DEPENDANT FAILURES 




STS -51 PAD ABORT (ENGINE 2033 ) 

FAILURE SCENARIO 
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Section 4.0 


Flow Sensor Failure Analysis 
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TRANSDUCER FAILURE ANALYSIS 
SUPPLIER "AS RECEIVED" INSPECTION 

The transducer was hand carried to Rosemount, Inc. in Eagan, MN by Kelly Geroux 
and Brian Luther of KSC. The failure analysis was directed by Ernesto Acosta 
(Avionics) and Jeff Fink (ME&T) from Rocketdyne and Wesley Thompson (S&E 
Instrumentation) and Rob Lamdon (Materials) from NASA MSFC. The hardware 
evaluation began on 16 August 1993. No abnormalities were noted during the visual 
inspection of the external surfaces of the part. The probe tip and electrical connector 
exhibited no evidence of damage. 

ELECTRICAL FUNCTIONAL CHECKS 

The initial testing of the unit was restricted to non-environmental conditions so as to 
minimize the chance of introducing a fault not originally present. The test parameters 
match those used during the original production acceptance testing (except in the 
case of x-ray which is not required). The tests included coil impedance (resistance 
and inductance), output calibration, simulated output, insulation resistance, dielectric 
withstanding voltage, and isolation resistance. The resulting data was compared wit 
the corresponding original build values. The two coils exhibited similar characteristics 
All parameters repeated within normal limits and are tabulated below: 

con »i Coil n 


Test 

Units 

Current 

Orifl. AIR 

b&tl 

Current 

Orifl. ATP 

A(£l 

Resistance 

Ohms 

1282.43 

1268.73 

♦1.1 

1285.41 

1271.41 

+1.1 

Inductance 

Henries 

0.169 

0.169 

0 

0.169 

0.169 

0 

Output ®100Hz 

Volts AC 

1.03 

0.975 

♦5.6 

1.05 

1.00 

♦5.0 

Output ©200Hz 

Volts AC 

2.10 

2.08 

♦1.0 

2.15 

2.10 

♦2.4 

Output ©300Hz 

Volts AC 

3.20 

3.20 

0 

3.22 

3.25 

-1.0 

Output ©400Hz 

Volts AC 

4.40 

4.50 

-2.2 

4.50 

4.55 

-1.1 

Output ©500Hz 

Volts AC 

5.70 

5.60 

+1.8 

5.80 

5.70 

♦ 1.8 

Simulated output 

Volts AC 

n/a 

n/a 

n/a 

7.67(1) 

3.72 

n/a 

IR 

Megohms 

28K 

30 K 

-6.7 

28K 

30 K 

-6.7 

DWV 

Microamps 

<100 

<100 

0 

<100 

<100 

0 

Coil Isolation 

Megohms 

n/a 

n/a 

n/a 

>100 

>100 

0 


(1) Operator error resulted in incorrect frequency (5kHz instead of 500 Hz) 
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In addition, the part Fig. 1 was subjected to real time micro-focus x-ray examination as 
a non-destructive technique for assessing evidence of internal anomalies. The 
32AWG wires were clearly visible, however, the individual 45AWG coil wires were not 
apparent. A "spiral like” feature observed on the x-ray image, but within the coil below 
the potted lead wire area, could not be positively identified as a potting crack or 
correlated to any coil feature. 


ENVIRONMENTAL TESTING 

The next phase of evaluation included those tests from the build and acceptance test 
procedure with environmental extremes of temperature and vibration. The first 
indication of a problem surfaced during the "Coil Isolation" test actually performed in 
the preceding section. After chilling the unit and checking it electrically, the operator 
swapped test leads and checked for continuity on both coils. Coil #2 was found open, 
however, it was not known at what point the open actually occurred as the equipment 
monitors only the coil to coil isolation. The fact that the open circuit was reproduced 
using the thermal cycle fixture suggested that a temperature chamber might provide 
greater control over rate, thereby permitting detection of the actual conditions at which 
the open occurs. During the chamber thermal cycling the continuity of both coils was 
continuously monitored. Coil #2 opened during the first cycle in LN2 at approximately 
25°C (coil resistance measured 1225Qto 1227Q). 

Stray capacitance measurements were performed on the various connector leads in 
an attempt to ascertain the location of the probable wire break. The resulting data is 
tabulated below and the low relative capacitance (0.1 nF) points to a open in the 
vicinity of the pin #3 lead: 


Capacitance Values(nF) 

Pin Connections Room Temperature 14*C (Coil #2 Open) 


1 - 3 

22.3 

0.1 

2 - 3 

26.2 

0.1 

2-4 

22.4 

22.4 

1 - 4 

26.2 

26.2 


Confirmation of a fault permitted the deletion of the remainder of the tests, including 
vibration and extended thermal testing. 


HARDWARE DISASSEMBLY 

The disassembly of the unit was initiated on the evening of 16 August 1993. First, the 
probe end cap was machined off. No obvious defects were evident. Next, the sheath 
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over the coil area was machined partially through its thickness. Finally, the remaining 
stainless sheath membrane was carefully peeled away revealing the potted coil pickup 
assembly. A single axial crack was observed in the potting and continuity checks from 
the electrical connector confirmed that the crack was over the Pin # 3 lead. The 
appearance of the coil is illustrated in Fig. 2. 

The part was resubmitted for micro-focus x-ray examination, however, removal of the 
outer 321 stainless steel sheath did not significantly improve the viewing of the coil 
details. Further visual examination disclosed that the surface crack intersected a void 
in the potting, where the lead wire teflon insulation erupted through the surface Fig. 3. 
The surface of the potting was examined with a Scanning Electron Microscope (SEM) 
prior to being chemically stripping away. The crack appeared widest near the void in 
the potting and its irregular path followed surface void or non-uniformities. 

In addition, it should be noted that the potting appeared to have stratified, in that the 
microballoon filler was concentrated on the side of the coil away from where the crack 
was located. Electrical checks confirmed that machining away the sheath caused the 
intermittent open to become a "hard" open. 

Evaluation of the source of the open condition required that the Hysol PCI 2-007 
potting material be removed in a manner so as to minimize manipulation of the coils 
and lead wires. Mechanical methods were discounted. A solution of Eccostrip and 
water was utilized to soften and dissolve the epoxy. Examination of the part after ~2 
hours in the solution revealed a suspected break in the coil wire. The part was 
allowed to remain in the solution overnight. Visual examination resumed on 18 
August. Continuity checks through the remainder of the coil verified that the coil itself 
was intact. Microscopic examination disclosed that the break was located ~375 from 
braze joint to 32 AWG lead wire (15° into second strain relief turn). 
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FUEL FLOW SENSOR CUTAWAY 



BRAZE 









STS-51 FUEL FLOW SENSOR 



FIGURE 2 




STS-51 FUEL FLOW SENSOR 

LOCATION OF FAILURE 



FIGURE 3 






Section 5.0 


Materials Analysis 


RSS-8912 

5-1 


RSSS812 

12 - 7-83 


38 


MATERIALS ANALYSIS 


SUMMARY 

A systematic examination and tear-down of the RES7005-061, S/N 2582 flow sensor 
was conducted at Rosemount's a facilities in Eagen and Burnsville, Minnesota. 

Material analysis of the sensor consisted of a preliminary Real-Time X-Ray 
examination followed by removal of the sensor's end cap and sheath. Detailed visual, 
Real-Time X-Ray and Scanning Electron Microscope (SEM) examination uncovered 
an axial crack in the epoxy coil potting. The epoxy was then chemically stripped to 
reveal a fracture of a coil wire near its braze joint to the pin 3 lead wire. The fracture 
occurred where the wire spanned the potting crack very near an area of exposed lead 
wire insulation. Subsequent SEM examinations of both halves of the broken wire 
suggested the fracture was caused by tensile overload. Two previous cases of failed 
flow sensors were reexamined and determined to have been caused by tensile 
overload of coil wires that spanned potting cracks. 


RESULTS 

Partial Examination 


A preliminary Real-Time X-Ray examination of the sensor was conducted prior to 
disassembly. Views of the coil area through the 321 stainless steel sheath clearly 
showed the four 32 gage, 0.00942" stranded copper lead wires. However, the 45 
gage, 0.00176" solid copper coil wires were not discernible near their braze joints, 
presumably due to their small size and attenuation of x-rays through the sheath. In 
addition, no unusual conditions were noted in the connections or wires in the 
connector end of the sensor. 

Partial Disassembly 

The sensor end cap and sheath were removed by machining to expose the Hysol 
PC12-007M, glass microballoon filled, epoxy coil potting. An axial crack was evident 
in the epoxy (Figure 1 & 2) that was primarily collinear with the pin 3 lead wire. The 
crack was inspected with a binocular microscope and found to extend virtually the 
entire length of the potting, radiating in both directions from an area of exposed 
insulation of the lead wire. The crack bottom was not visible. The exposed area of 
violet-colored Teflon insulation was estimated from photographs to have maximum 
dimensions of 0.033" by 0.015". 

The coil area was reexamined through the epoxy by X-Ray methods. Each coil and 
lead wire was visible at its braze joint, but no wire fractures or other anomalous 
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conditions were evident. 


The epoxy crack was examined in the SEM and estimated to have a maximum width 
of 0.002". Although primarily axial, the crack diverted slightly in direction to connect 
surface imperfections in the epoxy. Neither the braze joint lead wire nor coil wire were 
visible while viewing down into the interior of the crack. Figure 3 supports the 
conclusion that the epoxy crack initiated around the perimeter of the island of exposed 
wire insulation. 


Epoxv Removal 

The epoxy potting was soaked overnight in dichloromethane to allow it to soften and 
slough away. The softened potting was then gently removed and a coil wire fracture 
was found approximately one and one half stress relief turns from the pin 3 lead wire 
braze joint (figure 4). A binocular microscope examination of the braze area showed 
no evidence of joint overheating. The wire fracture was situated directly below where 
the potting crack had been, in the vicinity of the exposed wire insulation. One end of 
the fractured wire was still attached to the braze joint, while its mating end was 
suspended nearby, above the coil windings. The epoxy crack depth appeared to be 
limited to the microballoon filled potting only and did not penetrate into the general 
mass of windings. The epoxy was strongly adhered to both halves of the fractured 
polyamide-insulated wire, making its complete removal difficult. Electrical tests 
verified this fracture as the only one present in the sensor. 


SEM Examination of Fracture 

A detailed SEM examination of the fracture surfaces was attempted, but was made 
difficult by epoxy residues that deposited on the fracture surfaces during stripping. 

The fracture surfaces showed a semblance of dimpling which in figure 5 might suggest 
a tensile overload failure mechanism. Repeated attempts to remove the residue for a 
clearer examination of the fracture surfaces were unsuccessful. 


Previous Flow Sensor Failures 


Two previous flow sensor failures were reexamined at Rocketdyne to determine the 
failure mode. One (S/N 1969) had a coil wire fracture near the lead to which it was 
brazed: most failures of the sensor have been reported as similar. Another (S/N 
2186) had a fractured l $ i ) wire in the general mass of windings, remote from the lead 
connections. In both cases the fracture was verified by SEM examination as tensile 
overload and occurred where the wire spanned a crack in the potting. 
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FIGURE CAPTIONS 


Figure 1 . Axial potting surface crack. 

Figure 2. Axial potting crack found after sheath removal. 

Figure 3. SEM image of exposed pin 3 lead wire insulation and epoxy crack. 
Figure 4. Fractured coil wire and pin 3 lead wire after epoxy removal. 

Figure 5. SEM image of coil wire fracture. 
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FIGURE 



RES7005-61 FLOW SENSOR, S/N 2582 SSME 2033 
EPOXY POTTING CRACK 6X 
FIGURE 2 



RES7005-6 1 FLOW SENSOR, S/N 2582 SSME 2033 
EXPOSED INSULATION & EPOXY CRACK 75X 
FIGURE 3 
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RES7005-61 FLOW SENSOR, S/N 2582 SSHE 2033 
FRACTURED COIL WIRE 25X 
FIGURE 4' 



RES7005-6 1 FLOW SENSOR, S/N 2582 SSME 2033 
COIL WIRE FRACTURE SURFACE 2600X 
FIGURE 5 
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STRUCTURAL AND THERMAL ANALYSIS 


STRUCTURAL ANALYSIS 

Based on the results of the evaluation conducted, the functional failure of the sensor is 
attributed to the structural failure of the outer sensor potting HYSOL epoxy layer. A 
thermal stress induced crack in the outer layer of epoxy resulted in severing of the 
wire embedded in that layer and connecting the sensor coil bundle to the lead wire. 
The severing of the wire resulted in loss of electrical continuity causing a functional 
failure of the sensor, Figure 1 . 


DESCRIPTION 

Metallurgical evaluation of the failed sensor unit, subsequent to the aborted flight of 
STS-51, revealed a crack in the HYSOL epoxy potting surrounding the composite 
copper/epoxy coil. The epoxy potting contains the 7 strand, 32 AWG lead wire and 
the 45 AWG wire connecting the lead wire to the coil bundle. The investigation also 
showed that the 45 AWG wire connecting the coil bundle to the lead wire was severed 
at the crack plane in the 0.040" thick external layer of epoxy potting. 

Based on a comparison of the relative ductilities of the copper wire (approximately 20- 
30%) and the surrounding HYSOL epoxy (1-3%) it can be concluded, without 
consideration of any other properties of the two materials, that the only way a copper 
wire embedded in the epoxy could fail is if the epoxy cracked. Additional conditions 
for the wire to fail are that the epoxy crack plane crosses the wire and that the wire 
does not debond from the epoxy as the epoxy cracks. Therefore the analytical effort 
carried out to determine the cause of failure concentrated on: 

1) determining if the stresses in the epoxy are sufficient to cause the epoxy to crack, 

2) determining the width of the crack in the outer epoxy layer and whether the width is 
sufficient to stretch the wire beyond its ductility limit and 

3) determining whether the shear bond strength of the epoxy is sufficient to prevent the 
wire from debonding. 

Because of the large differences in the thermal expansion between the wire and the 
epoxy, thermal stresses were suspected to be the most probable cause of the epoxy 
crack and the investigation was directed toward quantifying these stresses and 
determining whether the above three conditions for failure could be satisfied by 
consideration of thermal stresses alone. Three finite element models were developed 
to obtain quantitative results needed The three models, as they relate to the 
composite construction of the sensor, are schematically illustrated in Figure 2. 

The first model (Figure 3) is a three layered, pisegment, shell of revolution, of the pole 
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piece, the coil and the epoxy potting. The model is based on the assumption of 
generalized plane strain in the axial direction, requiring only a single layer of elements 
in the axial direction. It was used to determine the nominal thermal stresses in the 
epoxy potting at the minimum temperature the sensor is expected to see in service. 
Only the stresses due to the differences in thermal expansion coefficients were 
computed. The temperature gradients during the initial chilldown of the sensor were 
found to be small and were neglected. 

The second analytical model developed was a circumferential segment model of the 
epoxy layer. This model is illustrated in Figure 4 of the Attachment. This model is 
designed to quantify the amount of "gaping" that would result from stress relief that 
would occur in the event the potting developed an axial crack. 

The third and final model Figure 5 simulates a single strand of 45 AWG copper wire 
imbedded in a semi-infinite field of epoxy. The purpose of this model is to quantify the 
shear stress in the bond between the wire and the epoxy as a fraction of the tensile 
stress of a 45 AWG copper wire imbedded in the epoxy and determine whether the 
bond between the wire and the epoxy would fail before the tensile strength of the wire 
was exceeded. 


Results and Discussion 

The nominal stresses in the outer epoxy layer were determined using both worst case 
and best estimate material properties of the copper bundle and the outer composite 
layer Figure 6. The calculated nominal stresses in the HYSOL epoxy, based on a 
service temperature of -330 degree F, range between 4600 and 10600 psi (see 
following thermal analysis) . These stresses are equivalent to a tensile mechanical 
strain between 0.5 and 1.0% and are sufficient to initiate a crack in the epoxy, 
especially at the outer ligament of the teflon wound lead wire where there is an 
additional stress/strain concentration. Both ductility data and thermal expansion 
coefficient data for HYSOL are relatively "soft". However, best estimates of these 
properties strongly support that the actual strain to ductility ratio is sufficient to cause 
failure of the epoxy. There is substantial loss of epoxy ductility at cryogenic 
temperatures and the predicted tensile strains, including the stress concentration 
caused by the lead wire are in the 1% to 2% range. The most probable failure 
scenario may be described as follows: 

1. the crack initiates in the outer ligament of the lead wire and proceeds more 
or less parallel to the lead wire, 

2. if the 45 AWG wire connecting the core to the lead wire crosses the rack 
plane and the wire does not debond from the epoxy, the wire fails, 
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3. if the 45 AWG wire connecting the core to the lead wire does not cross the 
crack plane or in the event the wire debonds from the epoxy, the wire will 
survive. 

When the epoxy cracks, the wire has a probability of surviving or failing and failure 
depends on the randomness of the progression of the crack and the details of the 
core wire / lead wire attachment. 

The results of the analysis carried out using the second of the three models shows 
that, in the event an axial crack develops in the HYSOL outer layer, the crack width at 
the outside diameter will approach 0.0002". Without wire debond, this crack is 
certainly sufficient to cause the wire to sever, as this stretch must be absorbed over 
an infinitesimal length of wire and produces almost infinite local strain. 

The results of analysis of the last model show that the wire/epoxy bond shear stresses 
are approximately 6% of the tensile stresses in the wire. Assuming a 30,000 psi 
tensile strength in the wire, the maximum shear stresses in the bond will be 
approximately 1800 psi. Based on the best available data for strength of the HYSOL 
epoxy, the wire will fail before it debonds. Metallurgical evaluation of the severed wire 
confirms this conclusion. 

Clearly, there is extremely strong evidence that the epoxy will crack, that the wire will 
not debond and that, in the event the crack plane crosses the wire, the wire will fail. 


THERMAL ANALYSIS SUMMARY 

It was determined with simplified calculations that the sensor reached virtually steady 
state temperature within half an hour of the propellant drop, and that there is no 
significant difference between a 2 hour ground test chilldown and a 9 hour prolonged 
flight chilldown in terms of the degree of the cooling of the flow sensor. It was also 
determined that the slow chilldown transient did not generate any significant thermal 
gradient between the sensor housing and the sensor coil. Both results were later 
verified with a more detailed 2D model of the sensor, the instrumentation port, and a 
portion of the duct. This 2D model was also used to quantify additional chilling of the 
sensor due to engine mainstage operation. 


Sensor Chilldown Simplified Calculations 

The nomenclature used in the discussion is shown on the cross-sectional diagram of 
the sensor and the duct port in Figure 7. 

A series of single node lumped capacitance calculations were carried out. It was 
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recognized that the heat transfer is driven primarily by the boiling hydrogen in the 
duct, and that there is comparatively little effect from the ambient environment since 
both the sensor and the sensor port are insulated with rigid polyurethane foam. 
Therefore, the simplest and quickest approach was to calculate the port chilling due to 
the boiling hydrogen first, and then use the result from it to calculate the sensor flange 
and housing chilling, and the result from this second step to drive the sensor coil 
chilling. 

The cooldown of the sensor port metal mass was calculated by using an average 
boiling hydrogen film coefficient of 20 Btus/hr-ft 2 -°R from Seader et. al. m , and a 
constant fluid temperature of 40 # R. An’ equivalent conductance of 0.32 Btu/hr-ft - # R 
was used for the polyurethane insulation in series with the free convection heating 
from the ambient or engine compartment environment, assumed to be at a steady 
temperature of 460°R. The lumped capacitance approach is justified by a Biot number 
of 0.15 based on the boiling heat transfer film coefficient and a volume to surface area 
ratio of 0.6 inch. 

Starting from an initial temperature of 530°R, the port approaches a chilled steady- 
state temperature of 59°R, with a temperature of 60.8®R achieved after only half an 
hour of chill. A temperature versus time plot for the port is shown in Figure 7 P] , 
together with the sensor coil and housing which is discussed below. 

The cooling of the sensor flange and housing was done in the second step, using the 
calculated duct port transient temperature as the driver. The conductance across the 
air gaps around the sensor tip was compared with the conduction through the 
thickness of the sensor housing, and it was found that the latter was an order of 
magnitude greater than the former. Most significant was the effective contact 
conductance assumed between the port and sensor flanges, (Figure 7), which was 
studied parametrically. Later, it became evident that a contact conductance value of 
1500 Btus/hr-ft 2 -°R is believed to be more reasonable, it can be concluded from Figure 
8 that the flow sensor takes only slightly over half an hour of chill to reach steady 
state. 

The calculated sensor housing temperature was then used to drive the sensor coil. 

As anticipated, the analysis showed that the temperature difference developed 
between the housing and the coil is not significant due to the slow transient (Figures 8 
and 9). This suggests that the *T that is pertinent to the cracking of the molded 
potting between the housing and coil is the overall slow change of the temperature 
with time, and not the small gradients that develop between the sensor components 
during the chilldown. 
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2d Thermal Model 


One assumption that was necessary in the simplified calculation described above was 
to ignore the conduction from the sensor flange in the first step of calculating the duct 
port chilldown. In the 2D model, the thermal contact between the sensor flange and 
the port flange was properly accounted for, and its effect on the steady state 
temperatures of the sensor tip and duct port was determined. In addition, a more 
detailed temperature distribution was generated for the entire sensor. The 2D mesh is 
shown in Figure 9 with descriptions of the boundary conditions. Since the flanges of 
the sensor and the duct port are not fully solid in the circumferential direction, solidities 
of 0.22 and 0.59 were applied to the elements of these respective components. 

The baseline steady state result after a 2-hour chilldown is shown in the contour plot 
in Figure 11. As mentioned earlier, a constant contact conductance of 1 500 Btus/hr- 
^-•R was used for the baseline case. There is a large temperature gradient that 
occurs across the polyurethane insulation as expected, and a small axial gradient from 
the connector end of the sensor to the tip where the coil is located. The large *T 
across the insulation is consistent with almost no radial gradient across the sensor tip 
(coil, potting, and housing), and the duct port. 

Plots of nodal temperatures versus time for the baseline case are shown in Figure 12 
for nodes located radially across the sensor tip and the duct port. The effect of having 
the thermal contact between the sensor flange and the duct port throughout the 
chilldown in the 2D model is obvious from this figure. With the heat transfer from the 
sensor to the port properly accounted for in the 2D model, the duct port is predicted to 
reach a higher steady state temperature of 85°R, compared to 59°R from the 
simplified calculation, and the sensor steady state temperature is predicted to be lower 
at 106°R, compared to the worst case 140°R predicted from the simplified calculation. 


Sensor Chilling During Mainstaae Operation 

The 2D model baseline case chilldown analysis was continued for 600 seconds of 
104% RPL engine mainstage operation. The forced convection boundary condition in 
the duct was changed from the boiling hydrogen film coefficient of 20 Btus/hr-ft 2 -°R 
durihg chilldown, to 4800 Btus/hr-ft 2 -°R during mainstage. In addition, a heat 
generation rate of 0.073 Btu/hr was added at the coils, to represent the ohmic heat 
loss generated by the flow sensor signal at mainstage. 

The heat generation rate of 0.073 Btu/hr is too small to have any significance, and the 
sensor coil chills further during mainstage. As shown in Figure 13, the port cools 
down further from 85°R to 56 # R, and the sensor also cools down further by 26°R, from 
106°R to 80*R during mainstage. Overall, this means a sensor tip cooling of 530*R- 
80°R= 450°R, from the start of chilldown to engine cutoff. This overall *T based on 
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estimate of 530°R-140°R= 390 8 R from the simplified calculation. However, since the 
structural analysis ongoing at the time indicated that a *T= 300*R was sufficient to 
cause cracking of the molded potting 141 , the thermal refinements achieved with the 2D 
model does not change the conclusion in relation to the cause of the sensor failure. 
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FAILURE MECHANISM 
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FUEL FLOW SENSOR FAILURE MODELS 
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FIGURE 5 
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FIGURE 


STS-51A MAIN ENGINE 2 FUEL FLOW SENSOR ANOMALY 
SENSOR AND DUCT PORT CROSS SECTION 
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SENSOR FAILURE CORRELATION 


FUEL FLOW SENSOR FAILURE CORRELATION 

Open circuit failure history for the flight configuration fuel flow sensor, part number 
RES7005-05 1/061, is shown in Figure 1. Twelve sensors have failed out of a 
population of 313 that were shipped by the manufacturer, Rosemount, Inc. These 
parts were manufactured over a time span of 1978 to 1990 (Figure 2). The flow 
sensors have failed on both flight and development engines and only the most recent 
failure, serial number 2582, caused a launch abort. 

Engine hot-fire experience on the failed parts (Figure 3) varies from infant mortality 
failures due to electrical shorts in the pickup coils to a wide range of time (159 to 
25,847 seconds) on sensors that failed due to open circuit. Of the twelve failures, 
nine were the result of open circuits in the pickup coil and three were due to short 
circuits in the coil. All but one of the open circuit failures occurred because of a break 
in the 45 AWG magnet wire. Serial number 2004 failed open circuit due to a fatigue 
failure in a 32 AWG, stranded leakwire. Of the sensors that received fractography on 
the broken wires, three magnet wire breaks were attributed to ductile fractures and the 
one leadwire was a fatigue failure isolated to a workmanship problem. 

Beginning with the failure investigation of serial number 2010 in December 1987, the 
pickup assemblies of failed flow and speed sensors were examined more closely for 
proper strain relief in the coil wire to leadwire braze joint and for shaved insulation 
where the leadwire extends into the potted pickup coil. Also, flow sensors built prior to 
1980 as RES7005-051 parts received a series of rapid thermal shocks (from room 
temperature to liquid nitrogen temperature) during the final assembly process. As a 
result of the failure investigation on serial number 1474, sensors built after 1979 were 
given gradual thermal cycles. 


FAILURE CORRELATION ANALYSIS 

The purpose of the Variable Correlation Analysis, performed as part of the Sensor 
Failure History and Total Variable Summary, was to examine all the available lot 
traceability data for indicators of sensor susceptibility to failure, and/or predictive 
trends among the longest-surviving parts. In particular, the correlations identified 
would be used to estimate the "level of confidence" for each of the existing hot-fire 
assets (sensors which have been on an SSME during hot-fire testing). 
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METHOD 


First, a database was created from all the manufacturing and documentation 
information available from Rosemount for all the fuel flow sensors of the present 
design, which is represented in two dash numbers that differ only in the nature of the 
thermal cycling tests performed for workmanship screening. 

A graphical display of this data was achieved by making scatter plots of each 
information field (y-axis) against sensor number (x-axis). Since Rosemount's lot data 
were alpha-numeric, conversion to purely numeric data was required for analysis 
purposes. The resulting "Lot Codes" (numbers) were displayed in new columns 
beside the original lot designations. From the scatter plots, several observations were 
made: 1. no one information field correlated strongly with even half of the failures 
(i.e., the lots out of which the failed sensor came usually contained high-performing 
sensors as well), 2. correlations were non-random (i.e., failures were not evenly 
distributed among all lot numbers of all lot types), 3. the actual causes of the failures 
(if deterministic at all) were likely to be indirectly related to several of the information 
fields, 4. the causal factors are subtle enough that they could not be discerned by 
viewing the scatter plots alone, 5. some information fields correlated more strongly 
with failures than others. From this understanding of design and fabrication, the 
twelve most important variables were chosen and ranked according to importance. 

A more rigorous analysis was then undertaken, in which lot statistics for each lot type 
(e.g. pickup assembly braze lot, final assembly inspection date, hysol lot) were 
computed for each constituent lot number. A "high confidence lot" was postulated to 
contain: 1 . minimal failures (lot has good ratio of #non-failed units to #total units), 2. 
maximal "experience" (units proven through much hot-fire time and many engine 
starts/thermal cycles), and 3. large population (the more units in the lot, the greater 
the confidence). Averages of the above quantities were computed for each lot in an 
attempt to quantify the correlation between individual sensor lots (traceability 
information including lot numbers and/or milestone dates) and the characteristic 
success rate of each lot type (see appendix for detailed printouts of these statistics). 

A quantitative scoring method was devised (using a multiplicative combination of the 
above factors) to rate each lot number of each lot type on a discrete scale of +2, +1, 

0 , - 1 ,- 2 . 

From this lot rating information, the scores for each of the most important lots which 
comprise a sensor's build history were displayed on a scoring matrix structured in an 
analogous way to the original database. A total score was then computed for each 
sensor from the "hot-fired" population. In particular, each sensor's total "risk 
assessment score" is a weighted sum of its constituent lot scores, with the weights for 
the lot types corresponding to their relative importances: 

Sn = ZwiSi 

Sn = total score for sensor #n 
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Wi = weighing factor for variable "I" (e.g. P/A Braze Date) 

si = score for lot of type "I" of which sensor "n" is a part (e.g. Lot T5) 

This scoring method was then tested using a sensitivity analysis in which the weighing 
factors were perturbed and observations made of the resulting split between the 
averages for the failed sensor group and the highest experience group (each 
containing a population of about a dozen). Also, the "failed set" was varied, with one 
run including all 12 failed units in the analysis, another including only the 9 "coil open 
circuit" failures in the analysis, and a third ( the best one) incorporating all but the one 
failure which (based upon historical details) was considered to be causally unrelated to 
the others. The summary statistics for this sensitivity analysis were displayed in 
scatter plots of the averages ( and their associated standard deviations) vs. sensitivity 
"case" number 


RESULTS 

The optimized model (using the chosen "failure set" and selected weighing factors) 
was used to compute final "risk assessment" scores, which are presented in graphical 
form (Figure 4). 

Three categories were noted and defined for use in DAR's intended to make use of 
the parts (181 hot-fire assets total) most likely to perform well: 

1. "B1” Parts - High (Scores greater than zero). 

Defined two "failed group" standard deviations above "failed group" average 
score, or alternately, one "failed group" standard deviation above B2 group 
average score; Group includes 108 functional parts. 

Recommended use: flight. 

2. "B2" Parts - Medium (Scores > -21 and < zero). 

Defined one "failed group" standard deviation above B3 group average score 
and one below B1, or alternately, above roughly one "non-failed group" st. 
deviation of "non-failed" group average score; Group includes 35 functional 
parts. 

Recommended use: development test monitoring. 

3. ”B3” Parts - Low /Scores < -21). 

Defined as within one standard deviation of "failed group" average score 
(which excludes S/N 1296); Group incles 26 functional parts. 

Recommend use: non-flight dt'i channels. 
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SCREENING RECOMMENDATIONS 


For Flight Purposes 

1. Risk Assessment Score > zero. 

2. Hot-Fire Starts between 5 and 100. 

3. Hot-Fire Time between 1,000 and 25,000 sec. 
For Development Purposes 

1. Risk Assessment Score > -21. 


MODEL SENSITIVITY ANALYSIS AND OPTIMIZATION 


Statistical Method Tested Through Variations of the "Failure Set” 

A "blind run" which incorporated all 12 failed units in the analysis successfully flagged 
the two units known by analysis history to be relatively unrelated to the other failures. 

Two other runs compared a statistical model incorporating only the 9 "coil open circuit" 
failures, with a model (the best one) which included all except the one failure (based ’ 
upon historical details) considered to be the most causally unrelated to the others. 

Among the models, the split between the averages of the failed set and the high-use 
set was considered to be statistically significant in relation to the scatter in the data, 
which indicated that the statistical approach could yield useful information about the 
risk associated with each sensor. 

Statistical Method Tested and Optimized Through Sensitivity Analysis 

Weighing factors for the variables were optimized from an initial baseline (derived from 
Rocketdyne sensor engineering experience in conjunction with Rosemount design and 
manufacturing experience) by testing over 250 different variations and running scores 
each case. 

Observations were made of the resulting statistics (averages, extreme; and standard 
deviations) for various categories (failed sensors, moderate use sensors, and highest 
experience sensors), and optimized weighing factors selected. 
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FIGURE 1 



SSME FUEL FLOW SENSOR- FAILURE HISTORY 
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FIGURE 2 
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SOFTWARE CHANGE 


SOFTWARE CHANGE SUMMARY 


The SSME incorporates two separate flow sensors on each engine. Each flow sensor 
includes two pickup coils. All four pickup coils are used to compute an average 
hydrogen flowrate for use in mixture ratio control. The previous software monitored all 
four coils on each engine (total of 12 per launch) against limits defining a "GOOD" or 
"BAD" coil. Any identified "BAD" coil prior to launch caused disqualification of a 
sensor coil pair (two coils) and a pad abort (STS-51 8/12/93 attempt). 

The new software provides a flow reference computation to which each of the four 
coils can be compared such that "BAD coils can be disqualified one at a time. The 
software permits one failed coil (on each engine) prior to launch without aborting the 
launch, and the engine flies with three good coils. 

The revised flow validation software was originally planned as part of a new software 
block update called 01-6. It's inclusion in 01-6 was a result of a similar sensor failure 
in ground test in July 1992. The software was defined for 01-6 in Jan. 1993 and in 
verification at the Huntsville Simulation Lab (HSL) at MSFC since March 1993. 

The software modification after the STS-51 abort merely lifts the 01-6 flow validation 
change already in verification for four months as part of 01-6 and adapts it to 01-5 
using the identical logic. Other non-related changes as part of 01-6 would not 
complete verification until November 1993 and precluded its use. 

The revised 01-5 software has been exposed to all software verification requirements, 
1185 total test cases including all hypothesized failure modes. The new verification 
requirements match a new software version but really represent a second verification, 
the first as part of 01-6. In addition, an independent assessment and audit is being 
performed by MSFC. Certification will include three engine hotfire tests on a minimum 
of two engines before committing to flight. One of those tests will include operation of 
the engine with a failed coil to verify the software response and subsequent engine 
operation simulating pre liftoff operation. Post equivalent liftoff will include an artificial 
failure in the controller to validate the software response to that failure. 


SOFTWARE CHANGE DISCUSSION 

The software in use during the STS-51 Pad Abort launch attempt was designated 
RRS902M01 AAAA24 . This software is also referred to as 01-5 version AA24 for the 
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Block II Controller and has been used on all flights since STS-52. The fuel flow 
sensor qualification logic used in this version is the same as all prior Block II 
Controller software versions. The requirements for this logic were derived from the 
Block I Controller software requirements. 

The AA24 fuel flow sensor qualification monitors are summarized in Figures 1 and 2. 
The significant features of this version are the four different monitors that become 
active at different times, the Inhibit (pre-start only) and resumable MCF responses for 
the first failure, and the disqualification of sensors as pairs as well as individually. The 
command from the Orbiter to shutdown on the pad originated from the MCF in the 
failure response of the first fuel flow intra-channel failure prior to SRB ignition. This 
test detected the output failure of sensor A2 when it differed from sensor A1 by more 
than 1800 gpm for three consecutive updates. 

Prior to the STS-51 pad abort, the potential for a fuel flow sensor failure was 
recognized and a software change was already in work for the 01-6 software version 
to reduce the risk, (Figure 3). The logic change had already been designed, 
developed, and validation tested at the Huntsville Simulation Laboratory (HSL) at 
MSFC. It was scheduled for STS-62 in February 1994. The only remaining effort was 
completion of testing at HSL for other changes contained in the 01-6 version and hot 
fire certification testing at the Stennis Space Center. 

One of the actions of the Pad Abort Investigation was to initiate modification of the 
AA24 software to include the fuel flow sensor qualification logic in the 01-6. All of the 
requirement change, design, development, software test and hot fire test activities 
were performed on a priority basis to produce a new 01-5 software version designated 
RRS902M01AAAA35 (AA35). The ECP for this change was approved and all required 
lab and hot fire verification testing was successfully completed including a coil failure 
simulation and power bus failure in hot fire, (Figure 4). 

The purpose of the fuel flow sensor logic change is to better utilize the redundancy of 
the four available flow sensors. The concept is to qualify the sensors individually 
instead of in pairs and raise the failure responses up to the next redundancy element. 
The result of this change allows liftoff if at least 3 of the 4 sensors are functioning. 

The AA35 fuel flow qualification monitors are summarized in Figures 5 and 6. The 
significant differences from the previous version are the deletion of the intra-channel, 
inter-channel, and sensor reasonableness tests, the addition of a calculated reference 
flowrate value (Qref) for comparison with the individual sensors, and the elimination of 
the Inhibit and MCF responses for the first failure of either the sensor qualification test 
or the Pulse Rate Converter (PRC) update test. If this software had been in use when 
the STS-51 psd abort occurred, the failure of the flow sensor would have been 
detected and reported by the PRC update test at about 3.0 seconds after engine start 
but because of no MCF in the failure response, no shutdown would have been 
commanded. The mission would have continued normally with the three remaining 
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good sensors. 

The modified 01-5 software version AA35 allows launch with one fuel flowmeter 
sensor channel failure during engine start. This logic change also modifies the 
qualification method of the flow sensor channels prestart. Instead of comparing the 
intrachannel (A1, A2 or B1, B2) to be within 1800 gpm, the individual sensor channels 
are qualified to Q reference and must be within 0 and 1800 gpm. Failure of the first 
channel prestart will cause the controller to issue a report only FID, a MCF is posted 
for the second sensor channel failure. Since a report only FID is not visible to the 
GPC or ground system computers, a preplanned contingency procedure for launch 
commit criteria (SSME-29) was established for STS-51. 

This procedure monitors the fuel flow sensor channels manually. If the report only FID 
is posted during prelaunch conditioning prior to engine start and is caused by actual 
fuel flowmeter motion as a result of tanking or MPS operations, then a controller reset 
can be issued to clear the FID and proceed with the countdown for launch. It is also 
noted in the procedures that a controller reset will cause the engine bleed valves to 
close, therefore requiring a 60 minutes of continuous bleed flow prior to engine start to 
maintain a proper start sequence. The countdown is to be scrubbed if the FID is 
reported and is not related to the LH2 system because the failure implies an 
electronics malfunction within the controller circuitry, (Figure 7). A FID occurring 
between APU start and T-31 seconds will result in a launch scrub condition since 
there is insufficient time for discussion. This procedure was accepted by the Shuttle 
management team for STS-51 based on the relative MTBFs described in Figure 8. 
Because of the possibility of false failure indications, an examination of the flow 
measurement system failure modes was made to determine the possible meanings of 
pre-launch failure indications. It was found in the nominal no-flow pre-launch 
conditions that sensor and harness failures are not detectable. The only detectable 
hardware failure is an intermittent failure in the controller PRC electronics. It was also 
found that propellant system operations during the pre-launch period could create 
false failure indications. 

In order for the software to distinguish between these failure indications and reject the 
false ones, it is assumed that a qualification failure is not a PRC failure unless the 
failure is persistent. If the failure is not persistent, sensor qualification strikes are 
cleared and no failure will be reported. This logic was included in the AA37 software 
because it minimizes the possibility of reporting false failures and the need to perform 
a controller reset in order to restore a falsely disqualified sensor. 

A revision to modify the software response to a resumable MCF for the first fuel flow 
sensor failure prior to engine start is planned for the su; .equent flights. This will allow 
the ground system computers to monitor for the MCF automatically and eliminate the 
need for a manual monitoring of the launch commit criteria. 
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FUEL FLOWRATE MONITOR 

QUALIFICATION 
01-5 AA24 
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NOT ACTIVE DURING SENSOR CHECKOUT OR CONTROLLER CHECKOUT 
INTRA-CHANNEL TEST FAILURE REQUIRES 3 CONSECUTIVE PRC UPDATED STRIKES 
PRC, REASONABLENESS TESTS FAILURE REQUIRE 3 CONSECUTIVE MAJOR CYCLE STRIKES 
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FUEL FLOW RATE IGNITOR (01-5 AA35) 
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SENSING SYSTEM 



FIGURE 7 















FUEL FLOW SENSING MONITOR LOGIC 

PRELAUNCH LOGIC COMPARISON 
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Section 9.0 


MTBF Comparison 
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MTBF COMPARISON 


FAILURE PROBABILITY (MTBF) IMPACT 

Table 1 depicts the gain associated with the software modification. By allowing liftoff 
with one of four sensors failed per engine the pad abort MTBF (best estimate) 
increases from one in 92 flights (using all nine experienced failures) to one in 67,000 
flights. 

With the revised software, liftoff can occur with one sensor already failed. The vehicle 
is then one failure away from Electrical Lockup because subsequent failure of the 
cross channel Input Electronics would disqualify two more flow sensors. An 
assessment of the probability of Electrical Lockup was performed to determine the 
severity of this concern. Failure probabilities for the orbiter electrical power buses as 
well as each engine controller must be considered Figure 1. One power bus failure 
affects two separate engine controllers via their respective input electronics which in 
turn affects two flow sensor coils each. One power bus failure will result in four flow 
coil failures. 

The results of this study are presented in Table 2 and indicates the overall risk of 
Electrical Lockup increases from 1 in 827,000 flights to 1 in 536,000 flights. It was the 
opinion of the SASCB that the reduced pad abort risk outweighed the increase in the 
risk of Electrical Lockup after liftoff. This opinion provided the rationale for approval of 
the AA35 software. 
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SYSTEM ASSESSMENT 
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FIGURE 1 



PAD ABORT MTBF 



TABLE 1 













ELECTRICAL LOCKUP MTBF 
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(1) BASED ON ORBITER POWER SUPPLY MTBF - 7692 FUGHTS 

(2) BASED ON ONE CONTROLLER IE FAILURE IN 179,000 CHANNEL HOTFIRE SECONDS 




Section 10.0 


Hazards / FMEA CIL Impact 


RSS-8912 

10-1 


RS5H12 

12/17/M 


92 


HAZARDS / FMEA CIL IMPACT 


Disqualification of two fuel flow sensor channels during start is addressed as a cause 
for vehicle commanded shutdown due to an MCF. This is documented in hazard 
report ME-G6A (Abnormal Thrust Loads) paragraph 2B1. Failure of both sensors 
(A&B) or one sensor channel (during prestart, start, or mainstage) and the cross- 
channel IE during mainstage are covered as causes for electrical lockup. This is 
documented in hazard report ME-G4M (Loss of Thrust) paragraph 2B. 

The software logic changes enhance safety risk by greatly reducing the probability of a 
pad abort while maintaining a very low probability of attaining electrical lockup during 
mainstage. 

The FMEA/CIL has been updated to show the software related/engine effects of the 
revised software logic. No additional failure modes were identified as a result of the 
software change (Figure 1). These are reflected in the controller, harness and sensor 
FMEA/CILS. The effects of these failure modes are already covered in Hazard 
Reports ME-G6A and ME-G4M. There is no impact to the hazard analysis. 

Intermittent fuel flow electrical output signals, resulting in off-nominal mixture ratio 
operation, are also identified as criticality 1R failure modes in the FMEA/CIL(s). The 
effects of these failure modes are already covered in Hazard Reports ME-G6A and 
ME-G4M as "erroneous redline shutdown". 
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FMEA/CIL REQUIREMENTS 



Rockwell International 



Section 11.0 


NASA LeveM and STS-51 L-2 Closeout Briefing 
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NASA LEVEL-1 AND STS-51 L-2 CLOSEOUT BRIEFING 


The results of the team investigation were presented by Byron Wood to the NASA 
Level I PRCB via telecon on 8/24/93 and to the Mission Management Team (STS-51 
L-2 Day) on 9/10/93 at KSC. The investigation findings and rationale to fly STS-51 
(OV103) were included in the presentation. 


RSS-8912 

11-2 


RSS8912 

12 - 7-93 


96 






IO to 
^ 0* 

< $ 



00 <r 



c n z 


DC 

o 

m 

< 


o 

< 

Q. 





97 


Rockstdyns Division 



STS-51 PAD ABORT INVESTIGATION 
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FMEA/CIL REQUIREMENTS 
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Rockwell International 

Rocfcstdyr* Division 



STS-51 ABORT FLOW SENSOR DATA 



TIME FROM ENGINE START (SECONDS) 



ENGINE PERFORMANCE NOMINAL 






SSME SCHEMATIC 
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FUEL FLOWMETER 





STS-51 PAD ABORT 

ME-2 (ENGINE 2033) FUEL FLOW SENSOR 



FUEL FLOW MEASUREMENT 

LAYOUT AND PRINCIPLE OF OPERATION 
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FUEL FLOW SENSOR CHECKOUT 
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FLOW SENSOR SOFTWARE LOGIC 
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Rockwell International 

Flock «tdyn« Division 


FUEL FLOW SENSOR 

RES7005-061 CUTAWAY 






FUEL FLOW SENSOR 





FUEL FLOW CIRCUIT 

BLOCK DIAGRAM 
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1 ' FUEL k0W SENSOFl CHECKOUT' 

DETERMINE INTEGRITY OF BOTH SENSOR CIRCUITS ON EACH CHANNEL 



< 

x 

o 

X 

o 

< 

111 

z 

O 


Z> LJU 

o 3 

£ < 


o 

X 

O 

CO 

z 

LU 

CO 

LU 

z 

O 

O 

i- 

z 


X 

O 

CO 


LU 

X 


< z 


g co 

^■-5 
S 

X 

O 


uj g 
co 


z 

O 


2 

CO 


< 

o 


CO 

LU 

N Q 

^ Q_ 

LO O 

t- 01 
X OL 

LU 

CO 


IU 

X 

£ 

CO 

UJ 

< 

Q 

X 


I — 

o 

LU 

X 

X 

8 8 
5 § 



CO 

CO 

CO 

CO 

CO 


LU 

LU 

XI 

UJ 

LU 


X 

X 

X 

X 

X 

CO 

3 

3 

3 

3 

3 

Hr 

_l 

_J 

_l 

_J 

_J 

1 

— ) 

< 

< 

< 

< 

< 

CO 

LU 

X 

X 

X 

X 

X 

O 

O 

O 

O 

O 

X 

z 

z 

2 

z 

z 




CM 





CD 

CO 

l - 




3 

3 

X 




X 

X 

O 



1— 

o 

o 

CO 



3 

CO 

CO 

< 



CO 

I- 

z 

LU 


q 

ol 


LU 

§PI 

c3" 

LU 
h-CO 
LULU 

o>- 


X 

O 

z 

LU 

H 

< 

X 

LU 

X 

O 

>■ 

< 


X X 


X 


I- 

z 

LU 

> 

LU 


O 

X 

o 

LU 

X 

o 

o 

< 

X 


X 

0 
z 

3 

5 

1 

LU 

X 

X 


X X H 
O O QC 
z z O 

3 9 

3 2 

LU LU CO 
X O 
X X 


3 

< 


X 

X 


3 


CO 

co 

CO 

CO 

CO 

O 

XI 

O) 

1 

O) 

0) 

1 

a> 

i 

Oi 

X 

h- 

1^ 

CO 

CO 


CO 

X 

< 

CM 

T- 

CM 

T" 


o 

o 

co 

1 

N- 

1 


CO 


LU Qj 

Q Q 

CO CO 

11 


O O 

CO CO 
CO CO 

3 2 

£ £ 
3 3 
Z Z 
h- I- 

z z 
O O 
o o 


\ 



113 


TEMPERATURE DEPENDANT FAILURES 
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Rockatdyn* Division 



FUEL FLOW SENSOR FAILURE HISTORY 
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STS-51 SENSORS 
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STS-51 SUPPORT LOGIC 




FUEL FLOW SOFTWARE LOGIC CHANGE 




O 
I — 
CO Z> 
O O 


O 

O 

LU 

CO 

o 

LO 

o 


O 

I- 

co 

Q 


o 

O 
LU 
CO 
in o 
co in 


O O 
GC GC 
LL LL 

2 2 
0. Q_ 
0 0 

o o 

0 o 

CD 00 
CO T- 

z z 
< < 

1 X 
H I- 

C 0 CO 
CO CO 
LU LU 


• • 


W) 


® 5 

£ * 
— a 

1 1 
•g ! 

o 

QC 



127 


HIGHER START LIMIT COMPENSATION FOR START VARIATIONS 
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NOT ACTIVE DURING SENSOR CHECKOUT OR CONTROLLER CHECKOUT * 
INTRA-CHANNEL TEST FAILURE REQUIRES 3 CONSECUTIVE PRC UPDATED STRIKES 
PRC, REASONABLENESS TESTS FAILURE REQUIRE 3 CONSECUTIVE MAJOR CYCLE STRIKES 
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(1) • FUEL FLOWRATE QUALIFICATION TEST FAILURE REQUIRES 3 CONSECUTIVE PRC UPDATED STRIKES 
• PRC UPDATE TEST FAILURE REQUIRES 3 CONSECUTIVE MAJOR CYCLE STRIKES 
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FUEL FLOW LOGIC 

SOFTWARE VERIFICATION 
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REDESIGN (POTTING) SENSOR 


SOFTWARE VERIFICATION HOT-FIRE 




BLOCK II SOFTWARE 

VALVE POSITION INITIALIZATION 
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PREBURNER VALVES COMMAND BIAS 
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FLIGHT RULE 5-33 

MANUAL S/D FOR HYP OR ELECTRICAL LOCKUP 
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Rockwell International 


SSME FAILURE HISTORY 

DATABASE FOR PROBABILITY CALCULATIONS 
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CONTROLLER INTERNAL FLOW SENSING ELECTRONICS FAILURE 




FUEL FM LOGIC CHANGE (AA35) 

LAUNCH COMMIT CRITERIA IMPACT 
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FUEL FLOW SENSING MONITOR LOGIC 

PRELAUNCH LOGIC COMPARISON 
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Rockwell International 



STS-51 PAD ABORT 

RATIONALE FOR FLIGHT 
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FUEL FLOW LOGIC CHANGES FOR STS-58 
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NEW SENSOR DESIGN 
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PRODUCTION HARDWARE (4 ENGINE SETS) BY 02/94 
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PERFORMING SENSOR CHECKOUT DURING PSN-3 
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PERFORM SENSOR CHECKOUT DURING PSN-3 
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LOCKUP PROBABILITY ASSESSMENT 

ELECTRICAL LOCKUP 
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LOCKUP PROBABILITY ASSESSMENT 

HYDRAULIC LOCKUP 
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Honeywell 


Space Systems Division 
Honeywell Inc. 

13350 U.S. Highway 19 North 
Clearwater, Florida 34624-7290 
813 539-3273 
813 539-3347 Fax 

09 September 1993 

CEL- K-472- 1108 

Rockwell International Corporation 
Rocketdyne Division 
6633 Canoga Avenue 
Canoga Park, CA 91303 

Attention: Mr. R. E. Bartley 

Subject: SSMEC DEPOT P.O. R90SPA89550074 

Customer Engineering Letter - 3-SSEC-2332 
' F42 HEALTH CHECK 


Gentlemen: 

Under separate cover, we have forwarded four (4) copies of the subject CEL, in 
response to the above reference, to Mr. R. Precourt, one (1) copy to Mr. G. Brown 
and one (1) copy to Data Management 

Should you have any questions, please contact the undersigned at 813-539-3273. 


Yours truly. 



Contracts Specialist 


CEL/mnr 

cc: R. A. Precourt - PA 19 (4) 

G. Brown - PA05 (4) 

Data Management - Rocketdyne - AB16 (1) 

T. McLeod - Rocketdyne Resident - 848 5 (2)(Intemal) 
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HONEYWELL 

Avionics 

Clearwater, Florida 


C.E.L. NUMBER 3-SSEC-2332-Rev. A 
9 September 1993 
Page 1 of 4 


Rockwell International 
Rocketdyne Division 
6633 Canoga Avenue 
Canoga Park, CA 91303 

Attention: R.A. Precourt, Project Manager 

Avionics Subcontracts/P A-1 9 

Subject: F42 Health Check 


SUMMARY: 

F42 completed all testing without incident on August 28, 1993. It was returned to 
Honeywell for a health check on August 25, 1993. This unit had reported a Channel A 
Q1A2 Flowrate failure which resulted in a launch abort. Health check included special 
tests specifically designed and performed to verify the isolation and integrity of the 
Q1A2 flow signal channel. Environmental exposure was performed with an 
oscilloscope monitoring the Q1A2 flow signal channel at all times; this included three 
thermal cycles (one cold start, two high voltage) and 69 minutes of vibration. Pre and 
post environmental Automatic Test Equipment System (ATES) functional tests were 
also performed. Worst case analysis determined that a short from an adjacent signal 
path would result in a maximum current six times less than the current required to fuse 
the Q1A2 flow sensor coil. Health check revealed no deficiencies in the performance 
of F42. Analysis revealed no viable failure scenario which warrants any concern for 
the integrity of F42. 

CONCLUSION: 

Since F42 experienced no failures during the STS 51 launch abort and based on the 
successful completion of the health check, F42 was returned to Stennis Space Center 
on September 2, 1 993. 

ANALYSIS: 

Review of the internal controller wiring showed that the ±15V signal paths were the 
highest regulated voltage sources adjacent to the Q1A2 flow signal path. No 
unregulated voltage sources are in the proximity of this path. It was then determined 
by worst case analysis that the ±15V sources could supply no more than 79 mA if 
shorted directly to the Q1 A2 flow signal path. The resulting current is six times less 
than the current required (500 mA) to fuse open the coil in the Q1A2 flow sensor 
(based on a 190 Q coil resistance at cryogenic temperatures). At room temperatures 
the resulting current (12.8 mA) from a short would be thirty-nine times less than the 
fusing current of the Q1 A2 flow sensor coil (11 70 at room temperature). 
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C.E.L. NUMBER 3-SSEC-2332-Rev A 
9 September 1993 
Page 2 of 4 


INVESTIGATION: 

F42 was received on August 25, 1993. A visual inspection (“OK*) and internal 
pressure check (8.5 psig) were performed. Routine cleaning of the controller and 
connector mating surfaces was omitted, connector savers were installed. Electrical 
bonding of Outboard Cover to chassis (0.06 mfl) and Inboard Cover to chassis (0.05 
mQ) was verified. This completed incoming receiving inspection. No anomalies or 
deficiencies were observed. 

A baseline pre-environmental ATES functional test was performed without incident. 
Flow signal channel data was reviewed and compared against data from previous 
ATES functional tests (see Table 1). No discernible change in the test data was noted 
in this comparison. 

Flow signal Channel resistance was measured using a hand held Fluke as follows: 


J107 A wrt B 

Fuel Flowmeter 

Ch A (Q1A1) 

PRI 

* 632Q 

J107B wrt A 

Fuel Flowmeter 

Ch A (Q1A1) 

PRI 

* 587Q 

J107 C wrt D 

Fuel Flowmeter 

Ch A (Q1A2) 

SEC 

82.38 kQ 

J107 D wrt C 

Fuel Flowmeter 

Ch A (Q1A2) 

SEC 

69.68 kQ 

J108 a wrt b 

Fuel Flowmeter 

ChB(QIBI) 

PRI 

82.25 kQ 

J108 b wrt a 

Fuel Flowmeter 

ChB(QIBI) 

PRI 

69.68 kQ 

J108 W wrt j 

Fuel Flowmeter 

Ch B (Q1B2) 

SEC 

* 592Q 

J108 j wrt W 

Fuel Flowmeter 

Ch B (Q1B2) 

SEC 

* 633Q 


(*500 Hz FET Switch, DG184 IE3) 

A flight-type flow sensor (P/N 148AL, S/N 545) was connected as follows to perform 
fault insertion test and thermal cycle testing of the Q1A1 and Q1A2 flow signal 
channels. 

Sensor Controller 


Pin 1 

J107 

Pin 2 

J107 

Pin 3 

J107 

Pin 4 

J107 
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FAULT INSERTION: 


Short 

J107 A 

to 

Short 

J107 C 

to 

Short 

J107 A 

to 

Short 

J107C 

to 

Open 

J107 

at 

Open 

J107 

at 

Open 

J107 

at 

Open 

J107 

at 

Open 

J107 

at 

Open 

J107 

at 

Open 

J107 

at 

Open 

J107 

at 


J107 B , While running 
J107 D While running 
J107 B While running 
J107 D While running 
A While running 
B While running 
C While running 
D While running 
A While running 
B While running 
C While running 
D While running 


in Group 1 Sensor mode 
in Group 1 Sensor mode 
in Normal Sensor mode 
in Normal Sensor mode 
in Group 1 Sensor mode 
in Group 1 Sensor mode 
in Group 1 Sensor mode 
in Group 1 Sensor mode 
in Normal Sensor mode 
in Normal Sensor mode 
in Normal Sensor mode 
in Normal Sensor mode 


Controller responses to the above fault insertion test were correct and as expected. 


The flight-type flow sensor was removed to perform a manual input filter test for Q1 A2 
This manual test verified the low pass filter has a roll-off frequency of 127 ± 32Hz. In 
addition, data from the ATES functional test of 11 June 1992 was compared with the 
pre/post environment ATES functional test. Results are below: 


Q1A1 filter Roll-off 
Q1A2 filter Roll-off 


6/1 1/92(ATES #1) 

131 Hz 
127 Hz 


8/26/93 (ATES #21 

120 Hz 
122 Hz 


8/28/93 fATES #2) 

122 Hz 
126 Hz 


With the flight-type flow sensor re-connected to F42 the thermal chamber was ramped 
to -45°C. All temperature ramps were performed in the Group 1 Sensor (GRIS) 
checkout mode. This allowed virtually uninterrupted monitoring of the 500 Hz test 
signal (J107 A wrt B , J107 C wrt D) with the digital oscilloscope set to trigger on any 
changes. No voltages were seen to have been generated by the controller on the 
Q1A1 or Q1A2 inputs on the flight type flow. sensor. F42 was powered-off for a four 
hour cold dwell. A cold start was then initiated and the Controller completed the first 
thermal cycle without incident. This concluded testing with the flight-type sensor. 

All three axes of vibration were performed with a profile of 10 minutes at -3dB (GRIS), 
3 minutes at OdB (Environmental Command Sequence(ECS)) and 10 minutes at -3dB 
(7 minutes in GRIS, 3 minutes in ECS). The 500 Hz was again continuously 
monitored at the Controller checkout console (CCC) test point panel (J107 A wrt B, 
J107CwrtD). F42 completed the 69 minutes of vibration without incident. (Note: The 
OdB vibration level is the normal controller acceptance test level vibrat'- i 
environment.) 

F42 was returned to thermal chamber and successfully completed the second (high 
voltage) and third (high voltage) cycles with the Oscilloscope monitoring the CCC test 
point panel as before. The GRIS mode was again commanded during all temperature 
ramps to provide additional exposure to any flow signal channel failure mode. No 
anomalies of the 500 Hz were detected by the oscilloscope. 
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A post environmental ATES run was completed on 28 August 1993. Flow-signal 
channel data was compared with a previous ATES run on 11 June 1992 (see Table I). 
No significant shifts were observed. 

In summary, F42 passed all phases of health check. Worst case analysis and special 
testing with the flight-type sensors verified the integrity and isolation of the Q1 A2 flow 
signal channel. F42 was shipped to Stennis Space Center on 2 September 1993. 


Prepared by N. Bier 


M. Kert 

Program Manager 

Space Shuttle Main Engine Controller 



Space Shuttle Main Engine Controller 


TABLE I 

F42 ATES Flow Channel Data 


U 


MODULE 514 - IE Flow Signal Channel Test 



1 1 -Jun-92 

26-Aug-93 

28-Aug-93 

LOW LIMIT 

HIGH LIMIT 

12HZ/.15V Q1A1 

6c83 

6c84 

6c82 

6ab5 

6e17 

12HZ/.15V Q1B1 

6c7e 

6c83 

6c7d 

6ab5 

6e17 

12HZ/.15V Q1A2 

6c85 

6c88 

6c83 

6ab5 

6e17 

12HZ/.15V Q1B2 

6c7b 

6c84 

6c7e 

6ab5 

6e17 

340HZ/13V Q1A1 

03d4 

03d5 

03d4 

03d2 

03d6 

340HZ/13V Q1B1 

03d4 

03d5 

03d4 

03d2 

03d6 

340HZ/13V Q1A2 

03d4 

03d4 

03d4 

03d2 

03d6 

340HZ/13V Q1B2 

03d5 

03d4 

03d4 

03d2 

03d6 

4HZ/1VQ1A1 

ffff 

0000 

0000 

0000 

ffff 

4HZ/1VQ1B1 

0000 

0000 

ffff 

0000 

ffff 

4HZ/1VQ1A2 

0000 

ffff 

0000 

0000 

ffff 1 

>■' 4HZ/1VQ1B2 

ffff 

0000 

0000 

0000 

ffff 


MODULE 515 - IE Flow Input Independance Test at 12 Hz 



1 1-Jun-92 

26-Aug-93 

28-Aug-93 

LOW LIMIT 

HIGH LIMIT 

Q1A1 with Q1B1 

029B 

029A 

029B 

0292 

02A2 

Q1 A1 with Q1 A2 

029B 

029A 

029B 

0292 

02A2 

Q1A1 with Q1B2 

029B 

029B 

029A 

0292 

02A2 

Q1B1 with Q1A1 

029A 

029A 

029B 

0292 

02A2 

Q1B1 with Q1A2 

029A 

029A 

029A 

0292 

02A2 

Q1B1 with Q1B2 

029A 

029A 

029A 

0292 

02A2 

Q1A2 with Q1A1 

029A 

029B 

029B 

. 0292 

02A2 

Q1 A2 with Q1 B1 

029B 

029A 

029B 

0292 

02A2 

Q1A2 with Q1B2 

029B 

029A 

029A 

0292 

02A2 

Q1B2 with Q1A1 

029A 

029A 

029B 

0292 

02A2 

Q1B2 with Q1A2 

029B 

029B 

029A 

0292 

02A2 

Q1B2 with Q1B1 

029B 

029B 

029 B 

0292 

02A2 



Internal Letter 

Date: . 30-August-1 993 



Rockwell International 


No: . 93-PS-1 07-1 1 2 


TO! (Nam*, Organization, Internal Address) 

■ G.H. Skopp & J.L. Pennock 
. Depts. 709 & 477 
. Canoga-Rocketdyne 

subject: . STS-51 Abort Team Action Item #30 


FROM: (Name, Organization, internal Add rani. Phone) 

• P. J. Brzeski 

. Dept. 107 - AC58 
. Canoga-Rocketdyne 

• 586-6642 


The STS-51 abort on 12 August 1993 was caused when the channel A fuel flow sensor on 
Engine 2033 failed the fuel flow intra-channel (A versus B) qualification limit check. During the 
initial investigation it was wrongly assumed that fuel flow sensor #1 as listed in the ACTS 
database was the channel A sensor. Paperwork listing the serial number of the #1 sensor as 
the failed unit was prepared in order to expedite the failure analysis. When the channel A 
sensor arrived at the vendor (Rosemount) the wrong serial number was on the Rocketdyne 
paperwork. In actuality the #1 sensor is channel B and the #2 sensor is channel A. The #3 
sensor is not used during flight but is installed on the engine. 

The three fuel flow sensors are currently listed in the ACTS database as follows: 

Fuel flow pickup #1 (LRU code J601) 

Fuel flow pickup #2 (LRU code J602) 

Fuel flow pickup #3 (LRU code J603) 

It is requested that the part names be changed in the ACTS database to more accurately 
reflect the sensor channel postions as called out in the Main Engine Controller logic. The LRU 
codes will not change. 

from: Fuel flow pickup #1 to: Fuel flow sensor CH B 

from: Fuel flow pickup #2 to: Fuel flow sensor CH A 

from: Fuel flow pickup #3 to: Fuel flow sensor NFD 

Even though the MCC Pc sensors #1 and #2 are channels A and B, respectively, in order to 

maintain consistency the part names should be changed as follows: 


from: Main chamber press sensor #1 to: Main chamber press sensor CH A 
from: Main chamber press sensor #2 to: Main chamber press sensor CH B 


As with the fuel flow sensors, the LRU codes will not change. The channel A sensor 
LRUs are J201 or J231 and the channel B sensor LRUs are J202 or J232. 


Paul Brzeski ' 

SSME Flight Support Team 


J. Rivetti (AB08) 

A. Hill (PA07) 

v ~-- / G. Gilmartin (AB32) 

P. Seitz (AC58) 


B. Wood (AC04) 

K. Kan (AC58) 

D. Hausman (AC58) 

STS-51 Abort Team Files (AC58) 


Form 131-R(CG) New 12-92 
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MAIN CHAMBER PRESS SENSOR CH A (LRUs J201 or J231) 
MAIN CHAMBER PRESS SENSOR CH B (LRUs J202 or J232) 



